11-04-2015 06:43 AM - edited 03-08-2019 02:34 AM
Hi, I have a radio link from my office to another location. This radio link is connected to an access switch at my office. They are on the same VLAN.
I'm trying to look for a way to restrict their internet access, but they must still have access to all the servers (domain controllers and Exchange servers). Also they must be able to access some resources like Outlook Anywhere and some internal web applications.
Is it an access list that can do this?
Thank you
11-04-2015 10:19 PM
It depends on the devices you have (router/switch) and if you just want to restrict the bandwidth they use for internet access or if you want to block it completely. If you want to limit the bandwidth used then QoS would be an option, but if you want to deny the access to the internet entirely then an ACL will be the way to go. To me it looks like you really want the second option. You should use an extended ACL matching the destination ports used for http.
Let us assume that those users that you want to restrict are on a 10.10.10.0/24 network.
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#ip access-list extended nonotointernet
R1(config-ext-nacl)#
R1(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq pop3
<--- will allow TCP traffic for port 110 --->
R1(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq 995
<--- will allow TCP traffic for port which is used for POP3 securely --->
R1(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq smtp
<--- will allow TCP traffic for port 25 --->
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 host 192.168.1.1
<--- will allow traffic (TCP/UDP) for your servers. This is for one specific host/IP; you could use a wildcard to widen the range if your servers are in a continuous range --->
R1(config-ext-nacl)#deny tcp 10.10.10.0 0.0.0.255 any eq www
<--- will deny TCP traffic for the web, port 80/http --->
R1(config-ext-nacl)#deny tcp 10.10.10.0 0.0.0.255 any eq 443
<--- will deny TCP traffic for https --->
R1(config-ext-nacl)#
So without all the explanations it will look like this.
R1(config)#ip access-list extended nonotointernet
R1(config-ext-nacl)#
R1(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq pop3
R1(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq 995
R1(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq smtp
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 host 192.168.1.1
R1(config-ext-nacl)#deny tcp 10.10.10.0 0.0.0.255 any eq www
R1(config-ext-nacl)#deny tcp 10.10.10.0 0.0.0.255 any eq 443
R1(config-ext-nacl)#
You could do a "?" after eq to see what programmed options you have on your IOS.
Apply it to the interface or vlan coming back to your location. The direction and interface where you apply it could vary.
R1(config)#interface fastEthernet 0/0
R1(config-if)#
R1(config-if)#ip access-group nonotointernet out
Check out the following link, it will give you more details on how it works and what you could actually do...
IP Access List Overview
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-access-list-ov.html#GUID-1918DDA1-E728-4CD7-90DC-DBCBC37727F9
NOTE: there is an implicit "deny any any" at the end of all the statements, so whatever is not previously permitted will be denied.
Good luck...
11-05-2015 01:38 AM
Ok. Tried it and it works, but I still need to check for more ports to allow and block. The article really helped.
Thanks all
11-05-2015 10:35 AM
Great, glad to know it helped. The limit is infinite in what you could actually do. Just keep in mind that ACLs will stop checking the entries (known as sequences) once they hit one that matches. So in other words, if you have an entry/sequence denying a packet which is actually permitted in one further along the line, then it will stop at the deny statement and it is not going to worry about looking at the others. So just don't block what you are supposed to allow :).
Good luck.
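To make the two points in this thread concrete (the implicit "deny any any" from the accepted answer, and the first-match ordering warning from the follow-up), here is an added example that is not part of the thread: a small Python evaluator that parses the ACL body exactly as posted above and walks constructed flows through it. The outside addresses 203.0.113.10 and 203.0.113.53 are made-up placeholders for Internet hosts; the port-name table only covers the keywords the answer uses. Note that the DNS flow is dropped by the implicit deny even though no entry mentions it, which is the kind of "more ports to allow" the original poster ran into, and that moving the 443 deny to the top silently blocks HTTPS to the internal server despite the later "permit ip ... host" entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the thread (mapping constructed for this example)
PORT_NAMES = {"www": 80, "pop3": 110, "smtp": 25}


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means "any destination port"


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 0 bits must match, 1 bits are "don't care".
    # Invert it into a netmask; a discontiguous wildcard makes ip_network raise ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' into an ordered list of Rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                  # skip blank lines and anything that is not an entry
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES.get(port) or int(port)
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry decides; if nothing matches, the implicit 'deny any any' applies.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, idx
    return "deny", None


# The ACL body from the answer above, with the prompts stripped
ACL_TEXT = """
permit tcp 10.10.10.0 0.0.0.255 any eq pop3
permit tcp 10.10.10.0 0.0.0.255 any eq 995
permit tcp 10.10.10.0 0.0.0.255 any eq smtp
permit ip 10.10.10.0 0.0.0.255 host 192.168.1.1
deny tcp 10.10.10.0 0.0.0.255 any eq www
deny tcp 10.10.10.0 0.0.0.255 any eq 443
"""


def trace_thread_acl():
    """Walk constructed flows through the posted ACL (203.0.113.x stands in for Internet hosts)."""
    rules = parse_acl(ACL_TEXT)
    return {
        "pop3_to_internet": evaluate(rules, "tcp", "10.10.10.5", "203.0.113.10", 110),
        "https_to_server":  evaluate(rules, "tcp", "10.10.10.5", "192.168.1.1", 443),
        "http_to_internet": evaluate(rules, "tcp", "10.10.10.5", "203.0.113.10", 80),
        "dns_to_internet":  evaluate(rules, "udp", "10.10.10.5", "203.0.113.53", 53),
    }


def ordering_pitfall():
    """Same entries, but the 443 deny moved to the top: the later 'permit ip ... host'
    entry is never reached, so HTTPS to the internal server is now blocked."""
    lines = ACL_TEXT.strip().splitlines()
    reordered = "\n".join([lines[-1]] + lines[:-1])
    return evaluate(parse_acl(reordered), "tcp", "10.10.10.5", "192.168.1.1", 443)


if __name__ == "__main__":
    for name, result in trace_thread_acl().items():
        print(f"{name:18s} -> {result}")
    print("443 deny first     ->", ordering_pitfall())
```

The evaluator only models what the thread's entries use (protocol, source/destination with wildcard or host, and an optional `eq` destination port); it does not model TCP state, `established`, or `range`, and it applies the ACL to every packet regardless of interface or direction, so it answers "what does this entry list decide for this flow" rather than "where should it be applied".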